/*
 * JBoss, a division of Red Hat
 * Copyright 2011, Red Hat Middleware, LLC, and individual
 * contributors as indicated by the @authors tag. See the
 * copyright.txt in the distribution for a full listing of
 * individual contributors.
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */

package org.exoplatform.web.security;

import java.lang.reflect.Method;

import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;

import org.exoplatform.container.ExoContainer;
import org.exoplatform.services.log.ExoLogger;
import org.exoplatform.services.log.Log;
import org.exoplatform.services.security.Authenticator;
import org.exoplatform.services.security.Identity;
import org.exoplatform.services.security.UsernameCredential;
import org.exoplatform.services.security.jaas.AbstractLoginModule;
import org.gatein.wci.security.Credentials;

/**
 * A login module implementation that is used to handle reauthentication of client with same HTTP session on various cluster
 * nodes. After login of user on cluster node is attribute "authenticatedCredentials" added to HTTP session in method
 * {@link #commit()}. Other cluster nodes can than read these credentials in method {@link #login()}, and can reuse them to
 * relogin.
 *
 * @author <a href="mailto:julien.viet@exoplatform.com">Julien Viet</a>
 * @version $Revision$
 *
 * @deprecated Cluster authentication is now handled by PortalClusteredSSOSupportValve and
 *             this login module is no longer used. Likely will be removed in the future.
 */
public class PortalLoginModule extends AbstractLoginModule {

    /** Logger. */
    private static final Log log = ExoLogger.getLogger(PortalLoginModule.class);

    /** JACC get context method. */
    private static final Method getContextMethod;

    static {
        Method getContext = null;

        log.debug("About to configure PortalLoginModule");
        try {
            Class<?> policyContextClass = Thread.currentThread().getContextClassLoader()
                    .loadClass("javax.security.jacc.PolicyContext");
            getContext = policyContextClass.getDeclaredMethod("getContext", String.class);
        } catch (ClassNotFoundException ignore) {
            log.debug("JACC not found ignoring it", ignore);
        } catch (Exception e) {
            log.error("Could not obtain JACC get context method", e);
        }

        //
        getContextMethod = getContext;
    }

    public static final String AUTHENTICATED_CREDENTIALS = "authenticatedCredentials";

    private static final String LOGIN_ON_DIFFERENT_NODE = "PortalLoginModule.loginOnDifferentNode";

    /**
     * @see javax.security.auth.spi.LoginModule#login()
     */
    @SuppressWarnings("unchecked")
    public boolean login() throws LoginException {
        if (getContextMethod != null) {
            Credentials authCredentials = null;

            try {
                HttpServletRequest request = getCurrentHttpServletRequest();

                // This can be the case with CLI login
                if (request == null) {
                    log.debug("Unable to find HTTPServletRequest.");
                    return false;
                }

                authCredentials = (Credentials) request.getSession().getAttribute(AUTHENTICATED_CREDENTIALS);

                // If authenticated credentials were presented in HTTP session, it means that we were already logged on
                // different cluster node
                // with this HTTP session. We don't need to validate password again in this case (We don't have password anyway)
                if (authCredentials != null) {
                    Authenticator authenticator = (Authenticator) getContainer()
                            .getComponentInstanceOfType(Authenticator.class);
                    if (authenticator == null) {
                        throw new LoginException("No Authenticator component found, check your configuration");
                    }

                    String username = authCredentials.getUsername();
                    Identity identity = authenticator.createIdentity(username);

                    sharedState.put("exo.security.identity", identity);
                    sharedState.put("javax.security.auth.login.name", username);

                    subject.getPublicCredentials().add(new UsernameCredential(username));

                    // Add empty password to subject and remove password key, so that SharedStateLoginModule won't be processed
                    subject.getPrivateCredentials().add("");
                    sharedState.remove("javax.security.auth.login.password");

                    // Add flag that we were logged with real password on different cluster node. Not on this node.
                    sharedState.put(LOGIN_ON_DIFFERENT_NODE, true);
                }
            } catch (Exception e) {
                log.error(this, e);
                LoginException le = new LoginException(e.getMessage());
                le.initCause(e);
                throw le;
            }
        }
        return true;
    }

    /**
     * @see javax.security.auth.spi.LoginModule#commit()
     */
    public boolean commit() throws LoginException {
        // Add authenticated credentials to session only if we were logged on this host with "real" credentials
        if (getContextMethod != null && isClusteredSSO() && sharedState.containsKey("javax.security.auth.login.name")
                && sharedState.containsKey("javax.security.auth.login.password")
                && sharedState.get(LOGIN_ON_DIFFERENT_NODE) == null) {
            String uid = (String) sharedState.get("javax.security.auth.login.name");

            Credentials wc = new Credentials(uid, "");

            HttpServletRequest request = null;
            try {
                request = getCurrentHttpServletRequest();

                // This can be the case with CLI login
                if (request == null) {
                    log.debug("Unable to find HTTPServletRequest.");
                } else {
                    request.getSession().setAttribute(AUTHENTICATED_CREDENTIALS, wc);
                }
            } catch (Exception e) {
                log.error(this, e);
                log.error("LoginModule error. Turn off session credentials checking with proper configuration option of "
                        + "LoginModule set to false");
            }
        }
        return true;
    }

    /**
     * @see javax.security.auth.spi.LoginModule#abort()
     */
    public boolean abort() throws LoginException {
        HttpServletRequest request = getCurrentHttpServletRequest();

        if (request != null) {
            handleCredentialsRemoving(request);
        }

        return true;
    }

    /**
     * @see javax.security.auth.spi.LoginModule#logout()
     */
    public boolean logout() throws LoginException {
        return true;
    }

    @Override
    protected Log getLogger() {
        return log;
    }

    protected static boolean isClusteredSSO() {
        return ExoContainer.getProfiles().contains("cluster");
    }

    /**
     * Remove credentials of authenticated user from AuthenticationRegistry.
     *
     * @param request httpRequest
     */
    protected void handleCredentialsRemoving(HttpServletRequest request) {
        try {
            AuthenticationRegistry authenticationRegistry = (AuthenticationRegistry) getContainer().getComponentInstanceOfType(
                    AuthenticationRegistry.class);
            if (request != null) {
                authenticationRegistry.removeCredentials(request);
            }
        } catch (Exception e) {
            log.debug("Unable to remove credentials from credentialsRegistry.", e);
        }
    }

    private HttpServletRequest getCurrentHttpServletRequest() {
        HttpServletRequest request = null;
        try {
            if (getContextMethod != null) {
                request = (HttpServletRequest) getContextMethod.invoke(null, "javax.servlet.http.HttpServletRequest");
            }
        } catch (Exception e) {
            log.debug("Exception when trying to obtain HTTPServletRequest.", e);
        }

        return request;
    }
}
